Jailbreaking your iOS device may have gotten you all the coolest tweaks and apps, but it also has its own perils. A data-robbing malware named KeyRaider has stolen over 225,000 user credentials belonging to users of jailbroken devices. It was given this name because it steals Apple IDs, private keys, certificates and purchasing information.
If you’re not familiar with the term “jailbreaking”, it’s a process that allows iOS users to bypass their device’s security in order to install unapproved apps and tweaks. The term is the iOS counterpart of “rooting” on Android. Jailbreak apps allow users to personalize their devices with added functionality like themes, launchers, file managers, third-party keyboards and more.
There has been a decline in jailbreaking as Apple is constantly improving iOS by adding customization options like widgets, custom keyboards and more.
The malware was discovered last August by cyber security firm Palo Alto Networks in cooperation with WeipTech, a group made up of users from a large China-based Apple fan site called Weiphone. They found the stolen accounts on a server while analyzing suspicious user-reported iOS tweaks. Many people consider KeyRaider the most damaging malware seen so far for iOS devices.
KeyRaider was distributed to jailbroken iPhones through Cydia repositories, a platform that hosts apps designed to run on jailbroken iOS devices. The malware has affected a large number of users in China and 17 other countries, including the US, Russia, Japan, the UK, Canada, Singapore, France, Australia, Spain, Israel, Germany, Italy and South Korea. The malware is also suspected to have originated from China, as reported by Palo Alto Networks Unit 42.
Apple cannot remove the malware from the infected phones because they’re jailbroken. Because jailbreaking routes the user around the built-in security measures, the devices are left open to malware attacks like this one. If the user doesn’t remove the malware from the phone, more credentials will be stolen.
KeyRaider slips into the core layer of an iPhone and steals Apple IDs and device GUIDs by intercepting the device’s iTunes traffic. It also disables local and remote unlocking functions on infected devices.
Users infected with KeyRaider may fall victim to:
- Distributed Denial of Service (DDoS) Attacks
- Data Theft
Prevention and Removal
If you don’t want to get infected with KeyRaider or any other malware, you must not jailbreak your device. If you’re jailbroken and want to revert, use this guide. It’s also important to make sure you always have the latest updates installed. Apple is doing enough to protect you from malicious attacks. People say “Jailbreaking breaks you out of Apple’s cage”, but the truth is that the cage is there to protect you. Also, if you’re jailbroken and you’ve not installed apps from suspicious repos, you’re mostly safe, too.
First of all, you need to check whether your credentials have been stolen. Palo Alto Networks, together with WeipTech, have put up a web tool to check whether your account has been compromised.
- Visit http://weiptech.org/. The website is in Chinese but you can translate into English if you’re using Google Chrome.
- Simply enter the email address associated with your Apple ID and search to find out whether it has been compromised.
- If you’ve been compromised, change your password immediately and enable two-step verification for your account.
Here is how you can clean a compromised device, according to Palo Alto Networks.
- Install OpenSSH server app through Cydia
- Connect to your device through the SSH protocol
- Go to /Library/MobileSubstrate/DynamicLibraries/ and grep for these strings under this directory:
- If any dynamic library file contains any of these strings, delete it. Also delete any plist file with the same name, and then reboot the device.
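The SSH check above, written up as an added POSIX shell script (this is not Palo Alto Networks’ or the article’s code). The page does not list the actual indicator strings, so the ones below are placeholders to be replaced with the strings from the Palo Alto Networks report; the script only reports matches and their companion plist files, it deletes nothing.

```shell
#!/bin/sh
# Added example: scan a MobileSubstrate DynamicLibraries directory for dylibs
# that contain any of a set of indicator strings, and report each hit together
# with the plist of the same name (MobileSubstrate pairs each dylib with a
# filter plist). Report only; review the output before deleting anything.

# Default location of tweak dylibs on a jailbroken device (from the article).
DYLIB_DIR="${DYLIB_DIR:-/Library/MobileSubstrate/DynamicLibraries}"

# PLACEHOLDER indicator strings: substitute the ones published by Palo Alto Networks.
INDICATORS="PLACEHOLDER_INDICATOR_1 PLACEHOLDER_INDICATOR_2"

# scan_dylibs DIR "STR1 STR2 ..."
# Prints "<dylib> <plist>" for every *.dylib in DIR containing any string.
# Returns 0 when nothing matched (clean), 1 when at least one dylib matched.
scan_dylibs() {
    dir="$1"
    indicators="$2"
    hits=0
    for lib in "$dir"/*.dylib; do
        [ -f "$lib" ] || continue        # no match for the glob: skip literal pattern
        for s in $indicators; do
            # grep exits 0 when the byte sequence occurs, even in a binary file
            if grep -q -e "$s" -- "$lib" 2>/dev/null; then
                plist="${lib%.dylib}.plist"
                printf '%s %s\n' "$lib" "$plist"
                hits=$((hits + 1))
                break                    # one hit per dylib is enough
            fi
        done
    done
    [ "$hits" -eq 0 ]
}

# Stand-alone use: scan the live directory and summarise.
if [ "${SCAN_ON_LOAD:-0}" = "1" ]; then
    if scan_dylibs "$DYLIB_DIR" "$INDICATORS"; then
        echo "no indicator strings found in $DYLIB_DIR"
    else
        echo "suspicious dylib(s) listed above; remove them and their plists, then reboot"
    fi
fi
```

Run it over SSH on the device with `SCAN_ON_LOAD=1 sh scan.sh`; a non-zero exit status means at least one dylib matched.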
If you can’t use the earlier method, this should suffice.
- Install iFile or any root file manager via Cydia
- Add the following repository to Cydia: http://wolfposd.github.io
- Search for and install DylibSearch, then launch it.
- Getting red crosses for files means your device is infected. Take note of the infected files, navigate to /Library/MobileSubstrate/DynamicLibraries/ with your file manager and delete them.
You can follow the research guide prepared by Palo Alto Networks, which details KeyRaider’s capabilities and the available solutions.